Cyber security professionals often harp on the importance of businesses adopting the latest technologies – next-generation firewalls, cloud-connected everything, two-factor authentication, and much, much more – to protect their enterprises from attack; however, none of these defenses is effective in the least if its operators are not aware of the vulnerabilities and threats that face them. Who are these operators? Your employees – and they need to know how to protect themselves and your company from attack.
Employee error was cited as the number one cause of data breaches in 2015, and though a small portion of these might have been caused intentionally by malicious employees, IT pros believe that nearly 80% of the breaches they deal with are caused by employee negligence and a lack of cyber security knowledge. As Sir Francis Bacon and the characters on Schoolhouse Rock have taught us all, knowledge is power. It’s the kind of power that, when spread to others, makes us all stronger as a unit – and this applies to companies as well. You can strengthen your company’s overall cyber security defenses by educating your employees with these helpful tips:
Implementation of Password Best Practices
Almost every one of us could fill a Rolodex with the websites we subscribe to that require some sort of password to access the account, so it seems obvious that password security is a key issue when it comes to protecting yourself online; however, in a world where ‘123456’ and ‘password’ still top the list of the most popular passwords, it is worth reviewing some ‘password best practices’ with your employees.
- Create unique, strong passwords for each account – Employees should create passwords that are longer than 8 characters and combine letters, numbers, and symbols, and these passwords should not contain “guessable” words and phrases, such as the employee’s username or the company name.
- Change passwords often – Of those surveyed, 76% of employees are prompted by IT to change passwords on work accounts every 1-3 months. This not only lets current employees protect their active accounts, but it also gives the IT department the ability to detect dormant accounts, which are often the gateways that leave a company vulnerable to attack.
- Require multi-factor authentication – In addition to passwords, many companies require their employees to provide another identifier to prove their identity. These include things such as a time-sensitive code, facial recognition, fingerprints, and even retina scans.
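As an added example (not code from the original post), a small Python checker that enforces the password rules listed above: more than 8 characters, a mix of letters, numbers and symbols, not a well-known weak password, and not containing the username or the company name. The company name and the common-password set are constructed placeholders, not values from the post.

```python
import re

# Constructed placeholder for the employer's name; swap in the real one.
COMPANY_NAME = "ExampleCorp"

# Constructed sample of well-known weak passwords; in practice load a
# published breach/common-password list. Includes the two the post names.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "111111", "letmein"}


def check_password(password: str, username: str, company: str = COMPANY_NAME) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []

    # Length: the policy says longer than 8 characters, so 8 itself fails.
    if len(password) <= 8:
        problems.append("must be longer than 8 characters")

    # Character mix: at least one letter, one digit and one symbol.
    if not re.search(r"[A-Za-z]", password):
        problems.append("needs at least one letter")
    if not re.search(r"[0-9]", password):
        problems.append("needs at least one digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs at least one symbol")

    # Guessability: reject known-weak passwords and anything containing
    # the username or company name, compared case-insensitively.
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    for label, guessable in (("username", username), ("company name", company)):
        if guessable and guessable.lower() in lowered:
            problems.append(f"contains the {label}")

    return problems


def is_acceptable(password: str, username: str, company: str = COMPANY_NAME) -> bool:
    """Convenience wrapper for enrollment forms: True only when no rule is violated."""
    return not check_password(password, username, company)


if __name__ == "__main__":
    for candidate in ("password", "Examplecorp#2016", "Tr0ub4dor&3xtra!"):
        print(candidate, "->", check_password(candidate, "alice") or "OK")
```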
Training of All Employees
- Have a cyber security plan – All companies should have a strong cyber security plan in order to protect their business. Many people think that the IT department is the only place where people need to be well-versed in cyber security, including the company’s cyber security plans; however, the reality is that protecting a company on the cyber front is the responsibility of all employees. Pat Toth, a Supervisory Computer Scientist at NIST, said, “You can’t just rely on one person in a 10-person company; everyone needs to have a good understanding of cybersecurity and what the risks are for the organization.”
- Educate everyone – Toth’s sentiment does not apply only to lower-level employees, or even solely to mid-level employees and below. Everyone from the CEO down to the newest employee should be knowledgeable not only about the corporation’s cyber security plan, but also about current cyber threats and how to identify them.
- Threat awareness & testing – Ransomware and DDoS have plagued companies more than ever in 2016, and the primary way attackers got access to private information has been through phishing schemes. Phishing occurs when impostors pose as reliable entities, such as banks, universities, or other well-known companies, via electronic communication, to solicit personal information which they can then use to steal people’s identities or infect their computers with malware. Employees receive emails with a suspicious link, and when they click on it, their machine is compromised in a way that can either leak data from their own computer or give the hacker unauthorized access to vital information. It is important for corporations to train their employees to spot such threats. Companies like J.P. Morgan have taken a different approach to training employees on this: they sent out fake phishing emails to employees shortly after training them on the scheme. They were able to trick 20% of their employees – a scary thought when factoring in the massive size of the company.
- Secure handling of sensitive data – Employees need to know how to handle your company’s sensitive data. Be it digital encryption or hard-copy paper shredding, employees need to take every precaution when it comes to protecting your data. Though it is important for employees to do things such as back up information to an external hard drive, they are responsible for making sure that the backup is not stored in an easily accessible place.
Promotion of Open Communication Among All Employees
If an employee finds a suspicious email in their inbox, they should feel comfortable verifying its validity with others. It is important for employees to be able to ask questions when they are in doubt, as this shows that they have paid attention during training sessions and don’t want to do something that would put the entire company in jeopardy. Promoting open communication about cyber security best practices among all employees will help them learn from and teach each other, making every member of the company cyber-aware.
Educated employees are able to recognize threats, and they continually take the simple steps that make for a strong cyber security defense. If you fail to teach your employees how to defend against attack in the first place, it is not they who have failed the company, but you. By making your employees cyber-aware, you can protect your business better than with any other piece of machinery. Employees don’t have to be tech savvy to be technologically responsible and aware of their impact on the company’s overall cyber security.
For more tips on how to keep your employees educated on the latest cyber security threats, read Employees: The Greatest Risk and Defense In Cyber Crime, written by Axiom Cyber Solutions President, Shannon Wilkinson.
Hailey R. Carlson | Axiom Cyber Solutions | 12/22/2016